On Wed, Mar 23, 2016 at 02:56:55PM -0700, Pravin B Shelar wrote:
> Currently arp and nd snooping is pretty loose. That causes
> unnecessary entries in neighbour cache. Following patch
> adds required checks.
> Thanks Cascardo for detailed comment msg.
>
> CC: Thadeu Lima de Souza Cascardo <casca...@redhat.com>
> Signed-off-by: Pravin B Shelar <pshe...@nicira.com>
Thanks for the change, Pravin.
Acked-by: Thadeu Lima de Souza Cascardo <casca...@redhat.com>
> ---
> lib/tnl-neigh-cache.c | 13 ++++++++++++-
> tests/ofproto-dpif.at | 2 +-
> tests/tunnel-push-pop.at | 4 ++--
> 3 files changed, 15 insertions(+), 4 deletions(-)
>
> diff --git a/lib/tnl-neigh-cache.c b/lib/tnl-neigh-cache.c
> index a62402c..8650e73 100644
> --- a/lib/tnl-neigh-cache.c
> +++ b/lib/tnl-neigh-cache.c
> @@ -147,7 +147,9 @@ static int
> tnl_arp_snoop(const struct flow *flow, struct flow_wildcards *wc,
> const char name[IFNAMSIZ])
> {
> - if (flow->dl_type != htons(ETH_TYPE_ARP)) {
> + if (flow->dl_type != htons(ETH_TYPE_ARP) ||
> + flow->nw_proto != ARP_OP_REPLY ||
> + eth_addr_is_zero(flow->arp_sha)) {
> return EINVAL;
> }
>
> @@ -170,6 +172,15 @@ tnl_nd_snoop(const struct flow *flow, struct
> flow_wildcards *wc,
> flow->tp_src != htons(ND_NEIGHBOR_ADVERT)) {
> return EINVAL;
> }
> + /* - RFC4861 says Neighbor Advertisements sent in response to unicast
> Neighbor
> + * Solicitations SHOULD include the Target link-layer address.
> However, Linux
> + * doesn't. So, the response to Solicitations sent by OVS will include
> the
> + * TLL address and other Advertisements not including it can be
> ignored.
> + * - OVS flow extract can set this field to zero in case of packet
> parsing errors.
> + * For details refer miniflow_extract()*/
> + if (eth_addr_is_zero(flow->arp_tha)) {
> + return EINVAL;
> + }
>
> memset(&wc->masks.ipv6_src, 0xff, sizeof wc->masks.ipv6_src);
> memset(&wc->masks.ipv6_dst, 0xff, sizeof wc->masks.ipv6_dst);
> diff --git a/tests/ofproto-dpif.at b/tests/ofproto-dpif.at
> index 0991444..da29ac2 100644
> --- a/tests/ofproto-dpif.at
> +++ b/tests/ofproto-dpif.at
> @@ -5483,7 +5483,7 @@ AT_CHECK([ovs-appctl ovs/route/add 1.1.2.92/24 br0],
> [0], [OK
> AT_CHECK([ovs-ofctl add-flow br0 action=normal])
>
> dnl Prime ARP Cache for 1.1.2.92
> -AT_CHECK([ovs-appctl netdev-dummy/receive br0
> 'recirc_id(0),in_port(100),eth(src=f8:bc:12:44:34:b6,dst=ff:ff:ff:ff:ff:ff),eth_type(0x0806),arp(sip=1.1.2.92,tip=1.1.2.88,op=1,sha=f8:bc:12:44:34:b6,tha=00:00:00:00:00:00)'])
> +AT_CHECK([ovs-appctl netdev-dummy/receive br0
> 'recirc_id(0),in_port(100),eth(src=f8:bc:12:44:34:b6,dst=ff:ff:ff:ff:ff:ff),eth_type(0x0806),arp(sip=1.1.2.92,tip=1.1.2.88,op=2,sha=f8:bc:12:44:34:b6,tha=00:00:00:00:00:00)'])
>
> dnl configure sflow on int-br only
> ovs-vsctl \
> diff --git a/tests/tunnel-push-pop.at b/tests/tunnel-push-pop.at
> index 583abb5..a6118a8 100644
> --- a/tests/tunnel-push-pop.at
> +++ b/tests/tunnel-push-pop.at
> @@ -37,8 +37,8 @@ AT_CHECK([ovs-appctl ovs/route/add 1.1.2.92/24 br0], [0],
> [OK
> AT_CHECK([ovs-ofctl add-flow br0 action=normal])
>
> dnl Check ARP Snoop
> -AT_CHECK([ovs-appctl netdev-dummy/receive br0
> 'recirc_id(0),in_port(100),eth(src=f8:bc:12:44:34:b6,dst=ff:ff:ff:ff:ff:ff),eth_type(0x0806),arp(sip=1.1.2.92,tip=1.1.2.88,op=1,sha=f8:bc:12:44:34:b6,tha=00:00:00:00:00:00)'])
> -AT_CHECK([ovs-appctl netdev-dummy/receive br0
> 'recirc_id(0),in_port(100),eth(src=f8:bc:12:44:34:b7,dst=ff:ff:ff:ff:ff:ff),eth_type(0x0806),arp(sip=1.1.2.93,tip=1.1.2.88,op=1,sha=f8:bc:12:44:34:b7,tha=00:00:00:00:00:00)'])
> +AT_CHECK([ovs-appctl netdev-dummy/receive br0
> 'recirc_id(0),in_port(100),eth(src=f8:bc:12:44:34:b6,dst=ff:ff:ff:ff:ff:ff),eth_type(0x0806),arp(sip=1.1.2.92,tip=1.1.2.88,op=2,sha=f8:bc:12:44:34:b6,tha=00:00:00:00:00:00)'])
> +AT_CHECK([ovs-appctl netdev-dummy/receive br0
> 'recirc_id(0),in_port(100),eth(src=f8:bc:12:44:34:b7,dst=ff:ff:ff:ff:ff:ff),eth_type(0x0806),arp(sip=1.1.2.93,tip=1.1.2.88,op=2,sha=f8:bc:12:44:34:b7,tha=00:00:00:00:00:00)'])
>
> AT_CHECK([ovs-appctl tnl/neigh/show], [0], [dnl
> IP MAC Bridge
> --
> 1.8.3.1
>
> _______________________________________________
> dev mailing list
> dev@openvswitch.org
> http://openvswitch.org/mailman/listinfo/dev
_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev
